Code: 403 signing digest: transit: failed to sign payload: Error making API request
Closed this issue · 4 comments
I am getting a 403 permission error when I try to sign an image with cosign and Vault's transit engine in a GitHub Action. I did not face any issues while authenticating to Vault from our GitHub.
What am I doing wrong? It seems like a policy issue, but what is wrong with the policy below?
URL: PUT https://xxx/v1/transit/sign/cosign/sha2-256
Code: 403. Errors:
* 1 error occurred:
* permission denied
vault policy write docker-action - <<EOF
path "transit/*" {
  capabilities = [ "create", "read", "update", "list" ]
}
EOF
vault write auth/github-oidc/role/docker-action - <<EOF
{
  "role_type": "jwt",
  "user_claim": "workflow",
  "bound_subject": "",
  "bound_audiences": "https://github.com/xxx",
  "bound_claims_type": "glob",
  "policies": "docker-action",
  "ttl": "1h"
}
EOF
This is the step in the action:
- name: Sign image with a key
  if: ${{ inputs.sign }}
  run: |
    # expression syntax is ${{ ... }}; without the leading $ the annotation
    # would contain the literal text "{{ github.repository }}"
    cosign sign --key hashivault://cosign \
      -a "repo=${{ github.repository }}" \
      -a "workflow=${{ github.workflow }}" \
      -a "ref=${{ github.sha }}" \
      ${{ inputs.images }}@${{ env.IMAGE_DIGEST }}
  env:
    VAULT_ADDR: https://vault.internal.com
    VAULT_TOKEN: ${{ env.VAULT_TOKEN }}
  shell: bash
The policy looks good to me. Please can you also add the vault-action step configuration? Perhaps there is a mismatch in namespaces? And does the VAULT_ADDR match up between auth and cosign? And last thing I can think of off the top of my head - is the VAULT_TOKEN env definitely getting populated? (Value should show as *** for the step in the github action logs)
This is the Vault step. As far as I understood, GitHub is able to authenticate to Vault. Do you see any issue in the role itself? Should I use bound_claims with the repository?
- name: Import Secrets
  uses: hashicorp/vault-action@v2.4.3
  if: ${{ inputs.sign }}
  id: secrets
  with:
    exportEnv: false
    exportToken: true
    url: https://vault.internal.com
    namespace: devsup
    path: github-oidc
    method: jwt
    role: docker-action
Thanks for those details, I think it is Vault namespaces tripping you up. In the vault-action config, you're logging in within a namespace: namespace: devsup. Then cosign is trying to use transit in the root namespace, because there's no namespace config, and that fails because a child namespace can't access its parent namespace by default.
I had a quick look at the Vault client in cosign, and it looks like it uses the Vault SDK, so you should be able to fix this by adding VAULT_NAMESPACE: devsup to the env map of the cosign step.
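The namespace mismatch described above is cheap to catch before calling cosign. The following preflight script is an added example, not code from the issue, from cosign or from vault-action: it asks Vault which namespace the token was issued in and what capabilities it has on the transit sign path under the namespace cosign will use (VAULT_NAMESPACE, or root when unset), and points at the fix when the two disagree. It assumes VAULT_ADDR and VAULT_TOKEN are already exported by the login step and that the transit key is named cosign, as in the thread.

```shell
#!/usr/bin/env bash
# Added preflight check (not from the issue or from cosign). Run it in the
# GitHub Actions step right before "cosign sign". Assumes VAULT_ADDR and
# VAULT_TOKEN are exported by vault-action and the transit key is "cosign".
set -eu

# Namespace the current token was issued in, e.g. "devsup/"; empty for root.
token_namespace() {
  vault token lookup -format=json |
    sed -n 's/.*"namespace_path": *"\([^"]*\)".*/\1/p'
}

# Capabilities the token has on the sign path when Vault is addressed in
# namespace $1 (empty string = root) for key $2; prints e.g. "update" or "deny".
sign_capabilities() {
  VAULT_NAMESPACE="$1" vault token capabilities "transit/sign/$2/sha2-256"
}

# Returns 0 when signing will work, 1 otherwise. On failure it diagnoses the
# case from the thread: token minted in a child namespace, VAULT_NAMESPACE
# unset, so cosign talks to the root namespace and gets 403 permission denied.
preflight() {
  key="${1:-cosign}"
  ns="${VAULT_NAMESPACE:-}"
  caps="$(sign_capabilities "$ns" "$key")"
  case "$caps" in
    *update*|*root*)
      echo "ok: token can sign with transit/$key in namespace '${ns:-root}'"
      return 0 ;;
  esac
  token_ns="$(token_namespace)"
  echo "error: capabilities on transit/sign/$key in '${ns:-root}' are '$caps'"
  if [ -n "$token_ns" ] && [ "${ns%/}/" != "$token_ns" ]; then
    echo "hint: token was issued in namespace '$token_ns' but cosign will use" \
         "'${ns:-root}'; set VAULT_NAMESPACE=${token_ns%/} in the step env"
  fi
  return 1
}
```

In the failing setup from this thread the script prints the hint to set VAULT_NAMESPACE=devsup; with that variable exported it reports ok and cosign sign can proceed.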
@tomhjp it worked, really thanks a lot for your kind support.